CVE-2023-37903
Published: 21 July 2023
Summary
CVE-2023-37903 is a critical-severity sandbox-escape vulnerability in vm2, the vm2 project's Node.js sandbox, classified under CWE-78 (OS Command Injection). Its CVSS base score is 9.8 (Critical).
Its EPSS exploit-likelihood ranking places it in the top 2.6% of all CVEs; it is not currently listed in the CISA KEV catalog.
Deeper analysis
vm2 is an open source sandbox for Node.js. CVE-2023-37903 affects every release up to and including 3.9.19. The flaw lies in how Node.js custom inspect functions ([util.inspect.custom] hooks) are handled: a sandboxed object can define such a hook, and when the host side inspects that object the hook runs outside the sandbox's membrane with access to host-realm objects, which is enough to break out of the sandbox and execute arbitrary code. The issue carries a CVSS score of 9.8 and is tracked under CWE-78.
The precondition is that the attacker can already run arbitrary JavaScript inside the vm2 sandbox; for the usual vm2 deployment, which exists precisely to evaluate untrusted scripts, that precondition is satisfied by the attacker-supplied script itself. From there the inspect hook yields the host's Function constructor and, through it, the host process, so the outcome is code execution on the host with the privileges of the Node.js process. The CVSS vector rates the issue as network-reachable with no privileges and no user interaction required, which reflects that threat model rather than any separate authentication bypass.
The referenced GitHub advisory GHSA-g644-9gfx-q4q4 and the associated NetApp bulletins state that, at the time of publication, no patch existed and no workaround was known, and they advise users to migrate to an alternative sandboxing solution. The EPSS score has remained at 0.4009 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2054
Vulnerability details
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
vm2, all versions up to and including 3.9.19.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; any controls shown here are derived from the weakness type cited in the NVD entry (CWE-78) rather than from analysis of this specific flaw.